[BUG] menucolors patch segfaults


Benjamin Schieder

Feb 18, 2005, 1:52:27 AM

Hi rgrn.

During my development of the FarmBot (see
<4214a468$0$24928$9b4e...@newsread2.arcor-online.net>) I stumbled over
a bug in the menucolors patch that segfaults nethack.
This has been recreated several times like this:

Dump a lot of stuff on one spot. A lot in this context means more than
1400 pages of stuff. I don't have the exact number handy but it's
somewhere around this number. The nearest I have is 1417 pages.
Then go there and pick something up. Nethack segfaults in
../win/tty/wintty.c:2146

Output of bt full:
(gdb) bt full
#0  0x0813e038 in tty_end_menu (window=140798056, prompt=0x816cc15 "Pick up what?") at ../win/tty/wintty.c:2146
        cw = (struct WinDesc *) 0x81bba00
        curr = (tty_menu_item *) 0x8646868
        len = -17920
        lmax = 23
        n = 0
        menu_ch = 97 'a'
#1  0x080dc99e in query_objlist (qstr=0x816cc15 "Pick up what?", olist=0x8643de0, qflags=43, pick_list=0xbffffb70, how=2, allow=0x80dc608 <all_but_uchain>) at pickup.c:761
        n = 1
        win = 5
        curr = (struct obj *) 0x0
        last = (struct obj *) 0x81d7ca0
        pack = 0x8194ccf ""
        any = {a_void = 0x81d7d30, a_obj = 0x81d7d30, a_int = 136150320, a_char = 48 '0', a_schar = 48 '0'}
        printed_type_name = 0 '\0'
#2  0x080dde58 in pickup (what=0) at pickup.c:479
        i = -1073742992
        n = 0
        res = 0
        count = 0
        n_tried = 0
        n_picked = 0
        pick_list = (menu_item *) 0x0
        autopickup = 0 '\0'
        objchain = (struct obj *) 0x8643de0
        traverse_how = 43
#3  0x08091d3a in dopickup () at hack.c:2000
        count = 0
        traphere = (struct trap *) 0x0
#4  0x0805d661 in rhack (cmd=0x8194160 ",") at cmd.c:1965
        tlist = (const struct func_tab *) 0x0
        res = 0
        func = (int (*)(void)) 0x8091a11 <dopickup>
        do_walk = 0 '\0'
        do_rush = 0 '\0'
        prefix_seen = 0 '\0'
        firsttime = 1 '\001'
#5  0x0804a7eb in moveloop () at allmain.c:408
        moveamt = 18
        wtcap = 2
        change = 0
        didmove = 1 '\001'
        monscanmove = 0 '\0'
#6  0x0813b156 in main (argc=3, argv=0x8151ed6) at ../sys/unix/unixmain.c:294
        fd = 3
        dir = 0x3 <Address 0x3 out of bounds>
        exact_username = 1 '\001'
(gdb)


If you need more information just ask. I'll leave the gdb open.


Greetings,
blindy

Pasi Kallinen

Feb 18, 2005, 11:25:22 AM

Benjamin Schieder <blind...@scavenger.homeip.net> wrote:
> Hi rgrn.
>
> During my development of the FarmBot (see
> <4214a468$0$24928$9b4e...@newsread2.arcor-online.net>) I stumbled over
> a bug in the menucolors patch that segfaults nethack.
> This has been recreated several times like this:
>
> Dump a lot of stuff on one spot. A lot in this context means more than
> 1400 pages of stuff. I don't have the exact number handy but it's
> somewhere around this number. The nearest I have is 1417 pages.
> Then go there and pick something up. Nethack segfaults in
> ../win/tty/wintty.c:2146
>
> Output of bt full:
> (gdb) bt full
> #0 0x0813e038 in tty_end_menu (window=140798056, prompt=0x816cc15 "Pick
> up what?") at ../win/tty/wintty.c:2146
> cw = (struct WinDesc *) 0x81bba00
> curr = (tty_menu_item *) 0x8646868
> len = -17920
> lmax = 23
> n = 0
> menu_ch = 97 'a'

Is this really menucolors' fault? That line is nowhere near any menucolors
stuff, so perhaps you could recompile without any patches and see if the
farmbot still crashes it?

Actually, taking a quick look through the tty menu code, I see this:

lmax = min(52, (int)ttyDisplay->rows - 1); /* # lines per page */
cw->npages = (cw->nitems + (lmax - 1)) / lmax; /* # of pages */

cw->nitems is a short, so it (usually) ranges from -32768 to 32767;
you probably had 24 lines on your terminal, and more than 1400 pages of items,
meaning you had more than 33600 items on one spot; more than
cw->nitems can handle...

Sounds like time to email the devteam.

--
Pasi Kallinen
pa...@alt.org

Kevin Wayne

Feb 18, 2005, 12:03:55 PM

[description of bug]

Did you file a report with the DevTeam? That would be the place to go
with it.

--
Kevin Wayne

"Stark raving sane."
--Rosencrantz and Guildenstern

Jilles Tjoelker

Feb 18, 2005, 2:06:19 PM

begin quoting Pasi Kallinen <pa...@alt.org> (Fri, 18 Feb 2005 16:25:22 +0000 (UTC)):

That results in cw->nitems being negative or otherwise wrong. Therefore
cw->npages is also wrong. If it's negative, it will certainly be less
than the stored number of allocated page structures so nothing new will
be allocated. In the following loop to divide the items over the pages,
it follows the linked list, counting the items with an int and
performing int division to calculate the slot of the page list to use.

To solve this, many variables have to be changed from short to int, or
changes should be made that make the number of items on a square
provably less than 32767.

Even if cw->nitems and related variables were to be changed, overflow of
cw->npages and cw->plist_size would still be fairly close, with just
753642 items on a 24-line screen.

Also see include/wintty.h for the definition of the struct WinDesc.

> Sounds like time to email the devteam.

Seconded.

--
Jilles Tjoelker
jilles AT stack DOT nl
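An added worked example, not NetHack's code and not posted by anyone in this thread: a small C model of the page arithmetic Pasi quoted and of the failure path Jilles described. It assumes the field widths the thread reports (nitems, npages and plist_size held in a short) and a 24-row terminal, so lmax = 23 as in the gdb frame; the real struct is in include/wintty.h and the modeled field names and the hypothetical helper functions here are the example's own. It shows the counter wrapping negative past 32767, the resulting negative page count that never triggers a reallocation, the page slot the distribution loop would then compute outside the allocated array, and the 753642-item threshold at which a short page count overflows even with an int item count, beside a bounds-checked computation that refuses counts the fields cannot hold.

```c
/* Added example (not NetHack's code): models the page-count arithmetic of
 * tty_end_menu() as described in the thread. Field widths are an assumption
 * taken from the discussion, not copied from include/wintty.h. */
#include <limits.h>
#include <stdio.h>

#define LINES_PER_PAGE 23   /* lmax on a 24-row terminal: min(52, rows - 1) */

/* Hypothetical stand-in for the relevant WinDesc fields. */
struct menu_desc {
    short nitems;      /* item count: wraps once it passes 32767 */
    short npages;      /* number of pages computed from nitems */
    short plist_size;  /* number of page slots currently allocated */
};

/* Value a short counter holds after `count` increments. The wrap is computed
 * with explicit modular arithmetic because converting an out-of-range value
 * to short is implementation-defined in C. */
short wrapped_nitems(long count)
{
    long r = count % 65536L;
    if (r < 0) r += 65536L;
    if (r > SHRT_MAX) r -= 65536L;
    return (short)r;
}

/* The computation quoted in the thread: (nitems + (lmax - 1)) / lmax.
 * nitems is promoted to int, so a negative nitems gives a negative result. */
int compute_npages(short nitems, int lmax)
{
    return (nitems + (lmax - 1)) / lmax;
}

/* The page array only grows when npages exceeds plist_size; a negative
 * npages never trips this, so the old, smaller array is kept. */
int needs_realloc(int npages, short plist_size)
{
    return npages > plist_size;
}

/* Slot the item-distribution loop would pick for the n-th item (int division). */
int page_index_for_item(int n, int lmax)
{
    return n / lmax;
}

/* True when a computed slot lies outside the pages the menu believes it has. */
int slot_out_of_range(int slot, int npages)
{
    return slot < 0 || slot >= npages;
}

/* Smallest item count whose page count no longer fits a short even if
 * nitems were widened to int: the first N with (N + lmax - 1) / lmax
 * reaching SHRT_MAX + 1. */
long min_items_overflowing_short_npages(int lmax)
{
    return ((long)SHRT_MAX + 1) * lmax - (lmax - 1);
}

/* Hardened variant: arithmetic in long, and any count whose page total would
 * not fit the short fields is refused. Returns 1 on success, 0 on refusal. */
int compute_npages_checked(long nitems, int lmax, int *npages_out)
{
    long np;
    if (nitems < 0 || lmax <= 0) return 0;
    np = (nitems + (lmax - 1)) / lmax;
    if (np > SHRT_MAX) return 0;
    *npages_out = (int)np;
    return 1;
}

/* Convenience wrapper: the checked page count, or -1 when refused. */
int checked_npages(long nitems, int lmax)
{
    int np;
    return compute_npages_checked(nitems, lmax, &np) ? np : -1;
}

int main(void)
{
    struct menu_desc cw = { 0, 0, 100 };   /* constructed: 100 page slots allocated */
    long items = 33600;                    /* Pasi's estimate of the pile size */
    int n, slot;

    cw.nitems = wrapped_nitems(items);
    cw.npages = (short)compute_npages(cw.nitems, LINES_PER_PAGE);
    printf("nitems after %ld adds: %d, npages: %d, realloc: %s\n",
           items, cw.nitems, cw.npages,
           needs_realloc(cw.npages, cw.plist_size) ? "yes" : "no");

    n = (int)items - 1;
    slot = page_index_for_item(n, LINES_PER_PAGE);
    printf("item %d -> page slot %d (%s)\n", n, slot,
           slot_out_of_range(slot, cw.npages) ? "out of range" : "ok");

    printf("with an int nitems, a short npages overflows at %ld items\n",
           min_items_overflowing_short_npages(LINES_PER_PAGE));
    printf("checked page count for %ld items: %d\n",
           items, checked_npages(items, LINES_PER_PAGE));
    return 0;
}
```

With 33600 items the short counter reads -31936, the page count comes out as -1387, the reallocation check stays quiet, and the last item lands in slot 1460 of an array that was sized for far fewer pages; that is the write the backtrace catches in tty_end_menu. The threshold function reproduces Jilles' figure of 753642 items for a 24-line screen, and the checked variant is the kind of bound he suggests as an alternative to widening every field.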
